RE: Custom realm.authenticate() that would work with any realm - possible?
Hi Chuck,

Thanks for the pointer to the CombinedRealm, but, as I've been working with the test implementation that I mentioned for extending the JNDIRealm, I *think* that I'm coming to the realization that what I was asking for is probably not possible, or at least not practical, unless I'm totally missing something.

The reason I'm thinking this is that, for example, in the case where I'm extending the JNDIRealm, in my custom JNDIRealm, I've had to make calls to the super.set() methods to set parameters in the JNDIRealm class that I'm extending, in order for the calls that I then make to the super class (e.g., super.getUser()) to work.

Again, I may be missing something, or doing things completely wrong, but if not, then that means that if I was going to try to design my realm extender to support all of the normal realm types, my code would get fairly complex, because it'd have to know all of the parameters for all of the different realm types, in order to set the parameters in the super class. It was messy enough doing that for just one realm type (JNDIRealm), and for just calling two methods in the super JNDIRealm class, but I imagine if I was trying to extend 5 or 6 realm types, all in one piece of code, it'd be a real mess.

Anyway, if anyone has some insight into doing something like this, please post back. Otherwise, I think the best approach is to implement one realm extension for each of the normal Tomcat realms that we'll want to be able to support.

Thanks again,
Jim

Caldarale wrote:
From: oh...@cox.net [mailto:oh...@cox.net]
Subject: Custom realm.authenticate() that would work with any realm - possible?

I was wondering if there might, perhaps, be another way to do what I'm trying to do (basically have a realm.authenticate() method that doesn't require a password, but that would work with any realm)?

Look at the CombinedRealm; you might be able to use your no-password realm in conjunction with one of the others, since the doc says "Authentication against any Realm will be sufficient to authenticate the user". I don't know if that will get you the necessary roles established.

http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#CombinedRealm

- Chuck
Re: SSL configuration on apache tomcat 6 - Oracle EL5
On 9 Dec 2011, at 07:54, Oladapo Moshood morec...@gmail.com wrote: On Thu, Dec 8, 2011 at 8:41 AM, Daniel Mikusa dmik...@vmware.com wrote: On Thu, 2011-12-08 at 08:22 -0800, Oladapo Moshood wrote: After the re-installation of the whole Apache Tomcat Native Library, I still get: Ok, take a step back for a second... 1.) What were the results of ./configure ...? If you could paste them in here, that would be helpful. Please attached is the config.log as requested. Also see below: This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by configure, which was generated by GNU Autoconf 2.59. Invocation command line was $ ./configure --with-apr=/usr/local/apr-httpd/ You have an extra slash there, above. --with-java-home=/usr/lib/jvm/java-1.6.0-openjdk --with-ssl=/usr/lib/openssl ## - ## ## Platform. ## ## - ## hostname = opt01.petrodata.net uname -m = i686 uname -r = 2.6.18-128.el5xen uname -s = Linux uname -v = #1 SMP Wed Jan 21 11:55:02 EST 2009 /usr/bin/uname -p = unknown /bin/uname -X = unknown /bin/arch = i686 /usr/bin/arch -k = unknown /usr/convex/getsysinfo = unknown hostinfo = unknown /bin/machine = unknown /usr/bin/oslevel = unknown /bin/universe = unknown PATH: /usr/kerberos/sbin PATH: /usr/kerberos/bin PATH: /usr/local/sbin PATH: /usr/local/bin PATH: /sbin PATH: /bin PATH: /usr/sbin PATH: /usr/bin PATH: /root/bin ## --- ## ## Core tests. 
## ## --- ## configure:1491: checking build system type configure:1509: result: i686-pc-linux-gnu configure:1517: checking host system type configure:1531: result: i686-pc-linux-gnu configure:1539: checking target system type configure:1553: result: i686-pc-linux-gnu configure:1580: checking for a BSD-compatible install configure:1635: result: /usr/bin/install -c configure:1653: checking for working mkdir -p configure:1669: result: yes configure:1762: checking for chosen layout configure:1764: result: tcnative configure:1921: checking for APR configure:2003: result: yes configure:2072: checking for a BSD-compatible install configure:2127: result: /usr/bin/install -c configure:2142: checking for JDK location (please wait) configure:2171: result: /usr/lib/jvm/java-1.6.0-openjdk configure:2247: checking Java platform configure:2273: checking Java platform configure:2279: result: The result field is empty... Not sure what that means. configure:2289: checking for sablevm configure:2320: result: NONE configure:2397: checking os_type directory configure:2518: checking for gcc configure:2544: result: gcc configure:2788: checking for C compiler version configure:2791: gcc --version /dev/null 5 gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-44) Copyright (C) 2006 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. configure:2794: $? = 0 configure:2796: gcc -v /dev/null 5 Using built-in specs. 
Target: i386-redhat-linux Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-libgcj-multifile --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --enable-plugin --with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre That's not good though, above. --with-cpu=generic --host=i386-redhat-linux Thread model: posix gcc version 4.1.2 20080704 (Red Hat 4.1.2-44) configure:2799: $? = 0 configure:2801: gcc -V /dev/null 5 gcc: '-V' option must have argument configure:2804: $? = 1 configure:2827: checking for C compiler default output file name configure:2830: gccconftest.c 5 configure:2833: $? = 0 configure:2879: result: a.out configure:2884: checking whether the C compiler works configure:2890: ./a.out configure:2893: $? = 0 configure:2910: result: yes configure:2917: checking whether we are cross compiling configure:2919: result: no configure:2922: checking for suffix of executables configure:2924: gcc -o conftestconftest.c 5 configure:2927: $? = 0 configure:2952: result: configure:2958: checking for suffix of object files configure:2979: gcc -c conftest.c 5 configure:2982: $? = 0 configure:3004: result: o configure:3008: checking whether we are using the GNU C compiler configure:3032: gcc -c conftest.c 5 configure:3038: $? = 0 configure:3042: test -z || test ! -s conftest.err configure:3045: $? = 0 configure:3048: test -s conftest.o configure:3051: $? = 0 configure:3064: result: yes configure:3070: checking whether gcc accepts -g configure:3091: gcc -c -g conftest.c 5 configure:3097: $? = 0 configure:3101: test -z || test ! -s conftest.err configure:3104: $? = 0 configure:3107: test -s
Re: AJP connection timeout setting/Tomcat 6 vs. 7 questions
Kari Scott wrote: On Dec 6, 2011, at 2:25 PM, André Warnier wrote: Kari Scott wrote: We are running Tomcat 6. 0.32 with jdk1.6.0_26 on Solaris 10, mod_ajp 1.3 and Apache 2.2.21 on all but one production server which is the same except for it's running Tomcat 7.0.21. I have some questions regarding connection timeout settings. Occasionally, when the site is busier we see jumps in the number of connections to 8009 and then that number stays high for about 30 minutes before settling back down into our average range. A thread dump shows that these connections correspond to these socket threads: TP-Processor222 daemon prio=3 tid=0x00c76400 nid=0x5669 runnable [0x8cf7f000] java.lang.Thread.State: RUNNABLE at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.read(SocketInputStream.java:129) at java.io.BufferedInputStream.fill(BufferedInputStream.java:218) at java.io.BufferedInputStream.read1(BufferedInputStream.java:258) at java.io.BufferedInputStream.read(BufferedInputStream.java:317) - locked 0xcb2a0eb0 (a java.io.BufferedInputStream) at org.apache.jk.common.ChannelSocket.read(ChannelSocket.java:628) at org.apache.jk.common.ChannelSocket.receive(ChannelSocket.java:566) at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:693) at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:898) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) at java.lang.Thread.run(Thread.java:662) The problem isn't so much that they stick around, but when these first start increasing, there is a noticeable hit in performance and evidence that threads are waiting for resources. Oddly, the one trial Tomcat 7 server with the same connector, load and code never experiences this problem. 
We currently don't have a connectionTimeout specified for our connector so my plan is to try the following: Connector port=8009 protocol=AJP/1.3 connectionTimeout=2 redirectPort=8443 / Here are my questions: *Do I also need to set the connection_pool_timeout in the worker? Or is that the one I should be changing instead of connectionTimeout? *Is there a different time out setting I should be looking at? *Is there an easy explanation as to why Tomcat 7 never experiences this issue? I'm just wondering (o.k. hoping) that there is some magic Tomcat 7 default setting some place that we can add to our Tomcat 6 environments that can help us out until we've upgraded everything. Just a question, to add to your excellent summary above : in your front-end server configuration, what are the settings related to keep-alive ? All the servers have the following Apache settings: KeepAlive On MaxKeepAliveRequests 200 KeepAliveTimeout 15 So, what happens if you set KeepAliveTimeout 3 ? And maybe, can you provide an example of the server.xml (comments and sensitive info removed) for both a server which experiences the issue, and for the 7.0 server which doesn't ? (paste them inside the message, the list strips most attachments). I sure can. I also removed some of the entries that were exactly the same so it's easier to see the differences: * Tomcat 7 server.xml: Server port=8005 shutdown=SHUTDOWN Service name=Catalina Connector port=8009 protocol=AJP/1.3 redirectPort=8443 / Engine name=Catalina defaultHost=localhost Host name=localhost appBase=webapps unpackWARs=false autoDeploy=false Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=localhost_access_log. 
suffix=.txt pattern=%h %l %u %t quot;%rquot; %s %b resolveHosts=false/ /Host /Engine /Service /Server Tomcat 6 server.xml: Server port=8005 shutdown=SHUTDOWN Service name=Catalina Connector port=8009 protocol=AJP/1.3 redirectPort=8443 / Engine name=Catalina defaultHost=localhost Valve className=com.jamonapi.http.JAMonTomcatValve/ Host name=localhost appBase=webapps unpackWARs=false autoDeploy=false xmlValidation=false xmlNamespaceAware=false /Host /Engine /Service /Server * So the big difference is the presence of the JaMON Valve we're using on Tomcat 6 and but accidentally forgot to put on Tomcat 7. Maybe this was a fortuitous mistake. I'll try removing it from one of our Tomcat 6 servers to see if that's the culprit. We don't need that access logging valve enabled on Tomcat 7 either, so this was a really good exercise to go through. Thanks! -kari _ Kari Scott Senior Programmer kari.sc...@cdw.com CDW 5520 Research Park Drive Madison, WI 53711 Office: 608 298 1223 Fax: 608 288 3007
Re: Custom realm.authenticate() that would work with any realm - possible?
On 09/12/11 18:02, oh...@cox.net wrote: Hi Chuck, Thanks for the pointer to the CombinedRealm, but, as I've been working with the test implementation that I mentioned for extending the JNDIRealm, I *think* that I'm coming to the realization that I was asking for is probably not possible, or at least not practical, unless I'm totally missing something. The reason I'm thinking this is that, for example, in the case where I'm extending the JNDIRealm, in my custom JNDIRealm, I've had to make calls to the super.set() methods to set parameters in the JNDIRealm class that I'm extending, in order for the calls that I then make to the super class (e.g., super.getUser()) to work. Again, I may be missing something, or doing things completely wrong, but if not, then that means that if I was going to try go design my realm extender to support all of the normal realm types, my code would get fairly complex, because it'd have to know all of the parameters for all of the different realm types, in order to set the parameters in the super class. It was messy enough doing that for just one realm type (JNDIRealm), and for just calling two methods in the super JNDIRealm class, but I imagine if I was trying to extend 5 or 6 realm types, all in one piece of code, it'd be a real mess. Anyway, if anyone has some insight into doing something like this, please post back. Otherwise, I think the best approach is to implement one realm extension for each of the normal Tomcat realms that we'll want to be able to support. Thanks again, Jim I have come to this thread rather late in the day and I don't want to confuse the situation... take my comment, if it is relevant, with caution. If it isn't relevant, don't let me spiral it off-topic. The servlet 3.0 spec allows for vendor specific Login-config auth-method values, e.g. tomcat uses NONE for containers that have not defined a login-config section. 
The standard login methods (FORM, BASIC, etc) are implemented as concrete classes that extend org.apache.catalina.authenticator.AuthenticatorBase (e.g. FormAuthenticator, BasicAuthenticator, etc). Have you considered writing a vendor specific NoPasswordAuthenticator class to do what you need? It needs to contain little more than an authenticate method that will be called by all appropriate code.

I have just submitted a suggested fix to NonLoginAuthenticator (https://issues.apache.org/bugzilla/show_bug.cgi?id=52303) which shows how to inject an existing Principal instance into a SingleSignOn session. This might give you some idea how to achieve what you want without the complexity of subclassing all the standard realms.

Regards,
Brian
RE: RemoteIpFilter not working
Can you send a dump of the HTTP headers received by the webapp and the return value of the various request.getXXX methods? That would be very helpful, here.

getRemoteAddr(): 85.214.210.60 -- proxy IP
x-forwarded-for: 85.178.56.216 -- client IP
x-forwarded-host: foobar.eu -- proxy
x-forwarded-server: foobar.eu -- proxy

It looks like the Filter does not kick in.
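
The trust check behind the symptom in the message above, as an added example that is not part of the original post and is not Tomcat's source: a simplified model of how RemoteIpFilter honours X-Forwarded-For only when the connecting address matches its internalProxies pattern. The class and method names and the default pattern are assumptions for illustration, and trustedProxies handling is left out.

```java
import java.util.regex.Pattern;

public class ForwardedForTrustDemo {

    // Assumption: modelled on the private and loopback ranges that the
    // RemoteIpFilter documentation gives as the default internalProxies value.
    // Check the documentation of the Tomcat version in use.
    static final String DEFAULT_INTERNAL_PROXIES =
            "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"
            + "|192\\.168\\.\\d{1,3}\\.\\d{1,3}"
            + "|169\\.254\\.\\d{1,3}\\.\\d{1,3}"
            + "|127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}";

    /**
     * Simplified model of the filter's decision. Returns the address the
     * webapp would get from getRemoteAddr() after the filter has run.
     *
     * @param socketPeer      address of the host that opened the connection
     * @param xForwardedFor   raw X-Forwarded-For header value, or null
     * @param internalProxies pattern of addresses trusted to set the header
     */
    static String effectiveRemoteAddr(String socketPeer, String xForwardedFor,
                                      Pattern internalProxies) {
        // Gate: the header is looked at only if the direct peer is a trusted
        // proxy. Otherwise any client could claim an arbitrary address.
        if (!internalProxies.matcher(socketPeer).matches()) {
            return socketPeer;
        }
        if (xForwardedFor == null || xForwardedFor.trim().isEmpty()) {
            return socketPeer;
        }
        // Walk the hop list from the right (the entry appended by the nearest
        // proxy) and stop at the first address that is not a trusted proxy.
        String[] hops = xForwardedFor.trim().split("\\s*,\\s*");
        String candidate = socketPeer;
        for (int i = hops.length - 1; i >= 0; i--) {
            candidate = hops[i];
            if (!internalProxies.matcher(candidate).matches()) {
                break;
            }
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Values taken from the message above.
        String proxy = "85.214.210.60";
        String client = "85.178.56.216";

        // Case 1: default pattern. The proxy has a public address, so it is
        // not recognised as an internal proxy and the header is ignored.
        Pattern defaults = Pattern.compile(DEFAULT_INTERNAL_PROXIES);
        System.out.println("default internalProxies   -> "
                + effectiveRemoteAddr(proxy, client, defaults));

        // Case 2: the proxy's address is added to the trusted pattern.
        Pattern withProxy = Pattern.compile(
                DEFAULT_INTERNAL_PROXIES + "|85\\.214\\.210\\.60");
        System.out.println("proxy listed as internal  -> "
                + effectiveRemoteAddr(proxy, client, withProxy));

        // Case 3 (constructed input): the header already carried an entry
        // when it reached the proxy. Only the entry appended by the trusted
        // proxy is used; entries to its left are unverified.
        String chained = "203.0.113.7, " + client;
        System.out.println("header with earlier entry -> "
                + effectiveRemoteAddr(proxy, chained, withProxy));
    }
}
```

With the default pattern the model leaves the proxy address in place, which is the behaviour reported in the message; once the proxy's address is part of the trusted pattern, the client address from the header is used.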
Re: Custom realm.authenticate() that would work with any realm - possible?
Hi Jim.

As I recall, your original issue was that there is no OAM plugin for Tomcat, and therefore, you are doing the OAM authentication within the front-end Apache, and then passing the user-id to Tomcat. And then, you find yourself in Tomcat with a user-id, but without any roles corresponding to this user-id. And in order to get such roles, you are now facing a rather complex programming issue at the Tomcat level.

I wrote this before, but let me repeat it : are you not doing a lot of work un-necessarily there, and should you not look at this another way ?

As far as I understand these Tomcat-level matters, a role in Tomcat is used to control access to resources. And you seem to use Tomcat's declarative type of access-control, which means that you allow access or not to a given webapp, in function of whether the user-id (which is passed to Tomcat by the front-end) has or not a particular role. And, in the OAM system globally, the fact that a user has or not access to a particular resource, is already managed at the OAM level; but to which OAM level, unfortunately right now, you do not have access from Tomcat.

But in this case, all your accesses to Tomcat webapps *always* happen through the front-end, because it is this front-end which obtains the user-id (from OAM) and later passes it to Tomcat. And this front-end thus *has* access to the OAM data.

So what is stopping you from :
- not using any authentication/access-control at the Tomcat level
- but checking all this at the Apache httpd front-end level ?

Example : suppose you have 3 webapps app1, app2, app3. You could have at the front-end level these sections :

    <Location /app1>
      SetHandler jakarta-servlet (same as JkMount /app1)
      AuthType Oblix
      require valid-user
      require .. (whatever)
    </Location>

    <Location /app2>
      SetHandler jakarta-servlet (same as JkMount /app2)
      AuthType Oblix
      require valid-user
      require .. (whatever)
    </Location>

    <Location /app3>
      SetHandler jakarta-servlet (same as JkMount /app3)
      AuthType Oblix
      require valid-user
      require .. (whatever)
    </Location>

If the user does not pass muster for /app1 according to OAM, then the call will never even make it to Tomcat. If the user passes muster, then you can let them access Tomcat's /app1 application, as they have been checked for it.

Or am I missing something ?
Multiple Tomcats on the Machine
Hello

We have three instances of Tomcat on a Windows Server and want to access on every instance several applications through the Manager app. In every /Catalina/[hostname]/manager.xml is

    <Context docBase="${catalina.home}/webapps/manager" privileged="true" antiResourceLocking="false" antiJARLocking="false">
    </Context>

Could it be a problem that catalina.home can only point to one location, and could this cause some errors? What is the best practice?

Alex
add and modify globalnamingresources on the fly
Hi people,

Is it possible to change globalnamingresources at tomcat and reflect the changes to a running instance without restart? I want to add and change datasources global resources dynamically without restarting tomcat! Is it possible?

I investigated probe (http://code.google.com/p/psi-probe/), but it only sees pool usage and executes queries.

thanks in advance
marcelo
Re: MVC or Model2 with Tomcat
On 08/12/2011 10:51, Blaxton wrote: snip On 6 Dec 2011, at 15:52, Blaxton blaxx...@yahoo.com wrote: I have added the host directive to server.xml and moved appexmp1 contents to ROOT directory and now I can access www.mydomain.com/index.jsp with no problem, however now the servlets are not working. I can access jsp files, but no servlets, I get The requested resource is not available message. as with following direction: http://tomcat.apache.org/tomcat-6.0-doc/virtual-hosting-howto.html#context.xml_-_approach__1 I have created /Catalina_BASE/appexmp1/ROOT/META-INF/context.xml Ok, please remove the comments from your server.xml and post it inline, here. I have placed a HelloWorld.class file in /Catalina_BASE/appname/ROOT/WEB-INF/classes/com/mydomain but can't access the class through mydomain.com/app1/HelloWorld How have you defined the Servlet in ROOT/WEB-INF/web.xml? tried following context file variations but didn't work: Context path=/app1 docBase=. debug=0 reloadable=true crossContext=true /Context Never do the above. Context path=/app1 docBase=ROOT debug=0 reloadable=true crossContext=true /Context Or that. The 'path' attribute is not applicable here - in any case it's wrong. Remove the path and docBase attributes from the ROOT.xml file. p it seems to me , context file is not being read after adding the host directive to server.xml either when it is in /Catalina_BASE/conf/Catalina/local host or now that it is in /Catalina_BASE/appexmp1/ROOT/META-INF/context.xml thanks for help - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org OK, my mistake, I had JkMount /*.jsp and /app1/* rather than JkMount /* in httpd-vhost.com changed it as you mentioned to JkMount /* and servlets works now. Also removed path and docbase from context.xml so we can't have default application in ROOT and path in context file ? 
haven't tried it , but I think we could achieve the same thing with JkAutoAlias which one is recommended ? JkAutoAlias or adding host directive in server.xml ? Thank you very much for help I achieved what i was looking for. Sorry but there is one more problem. now that I have JkMount /* in vhost1_httpd.conf every thing will be forwarded to tomcat other than *.html because there is a JkUnMount /*.html line in vhost1_httpd.conf but still when I browse mydomain.com/ I get the tomcat error The requested resource() is not available. why is that ? Some mod_jk config voodoo is bubbling up into my memory. I can't see it in the docs, but try: JKMount /|* worker Which version of mod_jk are you using? I have added welcome directive to web.xml as follow: welcome-file-list welcome-fileindex.html/welcome-file /welcome-file-list This tells Tomcat to look for index.html in its own resource location. Is it there or are you expecting HTTPD to do that for you? I think you probably want to put index.jsp instead. and following is DirectoryIndex in vhost1_httpd.conf file: DirectoryIndex index.jsp index.html index.php I can access mydomain.com/index.html but getting error when accessing mydomain.com/ Check the access logs to see which server is sending the file. p - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Ok, thanks I have added JkUnMount / appexmp1worker Eh? and with following directive: DirectoryIndex index.html I can access mydomain.com/ and the default index.html will be displayed. Yes, I'd expect that. however, with DirectoryIndex index.jsp because of JkMount /* all requests , including .jsp files would be forwarded to tomcat and I should place index.jsp file where we defined the appbase. Is that a question? NB Do not put any files straight in appBase. Only put files inside a appBase/ROOT or whatever applications directories are there. 
If you want Tomcat to find and serve index.jsp for a '/' request, then you need:

    <welcome-file-list>
      <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

If you have index.html and Servlets, either Tomcat can serve the HTML, or HTTPD. In the latter case you'll need to ensure that requests for / and /index.html are not forwarded to Tomcat.

Can we revisit what you are trying to achieve here?

p
Re: Tomcat JMX/RMI: How server interface is choosen?
On 08/12/2011 11:15, Ilya Kazakevich wrote:

I enable JMX server and JMX Registry in tomcat using

    <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />

Client connects to 10001 and tomcat returns its address and port 10002, right? But if I have several addresses on the interface tomcat returns the first one.

Exact OS, Java, Tomcat versions please?

Is it tomcat or RMI issue?

This listener binds the JMX server to 'localhost'. It aims to help when both JMX ports need to be known, e.g. when you're making a connection through a firewall.

How can I set interface and/or ip address to be returned to the client?

You can configure JMX manually.

Is it possible to use JMX directly over the one TCP port without all that RMI stuff?

JMX can support multiple protocols, RMI is the one supported OOTB. You can configure JMXMP if you find the optional support jar. I'm not sure what its status is, so YMMV.

p

Ilya Kazakevich, Developer
JetBrains Inc
http://www.jetbrains.com
Develop with pleasure!
Re: Tomcat 7.0.23 won't start
On 08/12/2011 15:04, Jacob Champlin wrote:

Add a Realm definition or wait until 7.0.24. There's a bug in 7.0.23.

I am waiting for 7.0.24.

I'm wincing as I ask: is there a particular reason that you're defining the Context in server.xml - it's been strongly recommended to not do that for quite a while.

Okay, I will byte.

Pun intended?

p

Practical: This was my sandbox config file. I switch between 6 different applications. I do this by switching server.xml files when I switch projects. This keeps things minimal (not starting up 6 connection pools), it's easier to switch one file, and it makes restarts faster.

Opinion: I hate over decomposition and I preferred the days when tomcat was only configured with server.xml. Tomcat's configuration is not that complicated, do we really need a bunch of configuration files? It's bad when one thing becomes two, and hence good when two things become one. I bet you're also in the micro kernel camp. I know lots of people clamored for being able to configure the connection pool in their war file. I don't know why anyone would do this, our WAR file runs in any environment where the jndi name is present. They have to build separate WAR files for each environment.

Basically I think the context.xml is stupid. If it matters so much change the document definition.
Re: Tomcat 7.0.23 won't start
On 08/12/2011 18:42, Christopher Schultz wrote: Jacob, On 12/8/11 10:04 AM, Jacob Champlin wrote: Practical: This was my sandbox config file. I switch between 6 different applications. I do this by switching server.xml files when I switch projects. This keeps things minimal (not starting up 6 connection pools), its easier to switch one file, and it makes restarts faster. You could do this in other ways. One way I like to do this is with different CATALINA_BASE structures. This makes upgrading easier (for me), too. Another way is to move deployment descriptors in-to or out-of the conf/Catalina/localhost directory. Likewise, you could choose to include (or not) foo.war in the webapps/ auto-deployment directory. +1 Splitting _HOME _BASE is clean. Opinion: I hate over-decomposition and I preferred the days when tomcat was only configured with server.xml. Fair enough. I don't think it's a case of over-decomposition, personally. Tomcat's configuration is not that complicated, do we really need a bunch of configuration [files?] There are already a bunch of configuration files. Modifying server.xml requires a Tomcat restart to re-read the config file. The other methods offer greater flexibility and are, IMHO, easier to do, anyway. Also, it's tougher to disable a Tomcat instance with a broken META-INF/context.xml than it is to disable one with a broken server.xml. Its bad when one thing becomes two, and hence good when two things become one. That's far to general a statement to hold water IMO. I'd argue a negative premise on that one. Dying is bad, but un-dying is *way* worse. ... brains . bet your also in the micro kernel camp. Flame bait ignored. LMAO That's a hell of a judgement considering I only asked a simple question. I know lots of people clamored for being able to configure the connection pool in there war file. I'm not really sure I know of any evidence to that effect. 
There's nothing to stop people programmatically configuring their DB pool in their app - and in fact that's what many people using Hibernate are actually doing.

I'm not sure that would have been a good idea, as it's generally a service offered by the system and not configured by the webapp. Maybe you meant the TC deployment descriptor (context.xml) which can be totally controlled by the sys admin and need not be in the WAR file itself.

I don't know why anyone would do this, our WAR file runs in any environment where the jndi name is present.

See above.

Yes, that's the point. You're using Recommended Technique(TM).

They have to build separate WAR files for each environment.

Nope.

Just because it's Recommended Technique doesn't mean that it's best and/or appropriate for your (or anyone's) environment. There are always some good (and usually lots of bad) reasons to deviate from that.

Basically I think the context.xml is stupid. If it matters so much change the document definition.

Sounds like your webapp doesn't need a context.xml. How's that for simplicity and ease of configuration?

+1

p

-chris
Re: add and modify globalnamingresources on the fly
On 09/12/2011 12:31, Marcelo Romulo Fernandes wrote:

Hi people, Is it possible to change globalnamingresources at tomcat and reflect the changes to a running instance without restart? I want to add and change datasources global resources dynamically without restarting tomcat!

Which version of Tomcat? I don't believe it is possible.

p

Is it possible? I investigated probe (http://code.google.com/p/psi-probe/), but it only sees pool usage and executes queries. thanks in advance marcelo
Tomcat memory allocation
Hello

Following advice found elsewhere on the internet, I've just added the following line to the catalina.bat file in my installation of tomcat 6.0.26:

    set JAVA_OPTS=%JAVA_OPTS% -Xms128m -Xmx512m -XX:MaxPermSize=128m

I know that settings: Xms128m -Xmx512m Control the initial heap size and what it can expand to. But what exactly is: -XX:MaxPermSize=128m

Should it be set to an addition of the other settings, or the other settings to an addition of it?

Thanks
Martin O'Shea
RE: Tomcat memory allocation
From: Martin O'Shea [mailto:app...@dsl.pipex.com]
Subject: Tomcat memory allocation

Following advice found elsewhere on the internet

Always to be taken with large chunks of salt.

set JAVA_OPTS=%JAVA_OPTS% -Xms128m -Xmx512m -XX:MaxPermSize=128m

You would be better off using CATALINA_OPTS, since setting JAVA_OPTS pointlessly affects the shutdown script as well as the startup one.

I know that settings: Xms128m -Xmx512m Control the initial heap size and what it can expand to.

In a server environment, you normally want Xms and Xmx set to the same value to avoid heap thrashing. The exact size is completely dependent on what your webapps need.

But what exactly is: -XX:MaxPermSize=128m

It's the amount of space to which the so-called permanent generation can expand. PermGen holds primarily instances of java.lang.Class, so it only needs to be specified if you have a large number of classes in your environment.

Should it be set to an addition of the other settings, or the other settings to an addition of it?

What does that question mean? PermGen size is completely independent of the heap size. Make sure you have enough RAM available on the system to support the Xmx + PermGen + a_lot_of_other_stuff. Monitor the system to make sure you're not getting into paging.

- Chuck
RE: Tomcat memory allocation
Thanks for this Chuck. I realise now what is happening. I thought the PermGen space was used in the heap when now I see it as just storing class definitions. So I could reduce it below 128Mb if I choose. Is there a default value?

As to setting Xms and Xmx to the same, I will do that. A job hung earlier and I wonder if memory was to blame although there is nothing in the system or server logs to say so.
Re: Multiple Tomcats on the Machine
On 09/12/2011 11:54, Alexander Diedler wrote:
> Hello
> We have three instances of Tomcat on a Windows Server and want to access on every instance several applications through the Manager app. In every /Catalina/[hostname]/manager.xml is
> <Context docBase="${catalina.home}/webapps/manager" privileged="true" antiResourceLocking="false" antiJARLocking="false"> </Context>
> Could it be a problem, that the catalina.home only can point to one location and this could occur some errors?

When any application is shared by multiple running Tomcats, you could run into errors, yes. I wouldn't like to guess what they'd be - but the manager app is fairly simple so you might get away with it.

> What is the best practices?

Don't share the application! Disk space is cheap, the application is small. Just make a copy and put it in the ${catalina.base}/webapps (or wherever the appBase is).

p

> Alex

-- [key:62590808]
RE: Tomcat memory allocation
> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Subject: RE: Tomcat memory allocation

> So I could reduce it below 128Mb if I choose. Is there a default value?

Yes - for each platform and JVM type. Use JConsole on a running JVM to see what it is.

> A job hung earlier and I wonder if memory was to blame although there is nothing in the system or server logs to say so.

That's what stack traces are for. Use JConsole or jstack to see what's going on in a running JVM. Much better to investigate than throw darts at the problem and hope you hit the target.

- Chuck
Re: Tomcat memory allocation
On Friday, 9 December 2011 16:11, Pid p...@pidster.com wrote:
> On 09/12/2011 14:52, Martin O'Shea wrote:
>> Thanks for this Chuck. I realise now what is happening. I thought the PermGen space was used in the heap when now I see it as just storing class definitions. So I could reduce it below 128Mb if I choose. Is there a default value? As to setting Xms and Xmx to the same, I will do that. A job hung earlier and I wonder if memory was to blame although there is nothing in the system or server logs to say so.
>
> Connect VisualVM to your Tomcat instance and use the monitor tab to observe the actual PermGen usage. It should be pretty stable, unless you're doing something funky like generating classes or using RMI. You'll then know how much you need to allocate.
>
> p
> -- [key:62590808]

Don't forget jstat also:

$ jstat -gc -h 10 -t 84762 3s
Timestamp   S0C     S1C     S0U    S1U   EC     EU     OC       OU       PC       PU       YGC  YGCT   FGC  FGCT    GCT
700819.2    1792.0  1792.0  288.0  0.0   640.0  289.2  80320.0  61284.6  95296.0  95013.7  516  3.182  200  64.692  67.874
700822.2    1792.0  1792.0  288.0  0.0   640.0  289.2  80320.0  61284.6  95296.0  95013.7  516  3.182  200  64.692  67.874
700825.2    1792.0  1792.0  288.0  0.0   640.0  289.2  80320.0  61284.6  95296.0  95013.7  516  3.182  200  64.692  67.874
700828.2    1792.0  1792.0  288.0  0.0   640.0  289.2  80320.0  61284.6  95296.0  95013.7  516  3.182  200  64.692  67.874
700831.1    1792.0  1792.0  288.0  0.0   640.0  315.5  80320.0  61284.6  95296.0  95013.7  516  3.182  200  64.692  67.874
700834.2    1792.0  1792.0  288.0  0.0   640.0  323.0  80320.0  61284.6  95296.0  95013.7  516  3.182  200  64.692  67.874
700837.2    1792.0  1792.0  288.0  0.0   640.0  323.0  80320.0  61284.6  95296.0  95013.7  516  3.182  200  64.692  67.874

Ronald.
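Added example, not part of any message in this thread: a small Python reader for `jstat -gc -t` output that turns the PC/PU, OC/OU and FGCT/GCT columns into the figures discussed above (PermGen fill, old-generation fill, share of GC time spent in full collections). The sample rows are constructed from the jstat output quoted in the thread, and `max_perm_kb` is an assumed parameter holding the configured -XX:MaxPermSize in KB.

```python
from typing import Dict, List

# Constructed sample: rows in the layout printed by `jstat -gc -t` on a
# PermGen-era JVM (sizes in KB, times in seconds), values from the thread.
SAMPLE_JSTAT = """\
Timestamp S0C S1C S0U S1U EC EU OC OU PC PU YGC YGCT FGC FGCT GCT
700819.2 1792.0 1792.0 288.0 0.0 640.0 289.2 80320.0 61284.6 95296.0 95013.7 516 3.182 200 64.692 67.874
700831.1 1792.0 1792.0 288.0 0.0 640.0 315.5 80320.0 61284.6 95296.0 95013.7 516 3.182 200 64.692 67.874
700837.2 1792.0 1792.0 288.0 0.0 640.0 323.0 80320.0 61284.6 95296.0 95013.7 516 3.182 200 64.692 67.874
"""


def parse_jstat_gc(text: str) -> List[Dict[str, float]]:
    """Return one dict per data row, keyed by the jstat column names."""
    header: List[str] = []
    rows: List[Dict[str, float]] = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        # With -h N the header line is repeated every N rows; re-read it.
        if fields[0] in ("Timestamp", "S0C"):
            header = fields
            continue
        if not header or len(fields) != len(header):
            continue  # truncated or foreign line
        try:
            rows.append(dict(zip(header, (float(f) for f in fields))))
        except ValueError:
            continue  # non-numeric field, skip the row
    return rows


def perm_report(rows: List[Dict[str, float]], max_perm_kb: float,
                warn_ratio: float = 0.9) -> Dict[str, object]:
    """Summarise the most recent sample.

    PC is the capacity currently committed to PermGen, which can still grow
    up to MaxPermSize, so headroom is measured against max_perm_kb.
    """
    if not rows:
        raise ValueError("no jstat data rows found")
    last = rows[-1]
    return {
        "perm_used_pct_of_committed": round(100 * last["PU"] / last["PC"], 1),
        "perm_headroom_kb": round(max_perm_kb - last["PU"], 1),
        "perm_near_limit": last["PU"] / max_perm_kb >= warn_ratio,
        "old_used_pct": round(100 * last["OU"] / last["OC"], 1),
        "full_gc_time_pct": round(100 * last["FGCT"] / last["GCT"], 1),
    }


if __name__ == "__main__":
    # 128m expressed in KB, matching the -XX:MaxPermSize value in the thread.
    print(perm_report(parse_jstat_gc(SAMPLE_JSTAT), max_perm_kb=128 * 1024))
```
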
RE: Tomcat memory allocation
On Fri, 2011-12-09 at 06:52 -0800, Martin O'Shea wrote:
> Thanks for this Chuck. I realise now what is happening. I thought the PermGen space was used in the heap when now I see it as just storing class definitions. So I could reduce it below 128Mb if I choose. Is there a default value?

This is a useful article which describes many of the common JVM options and their defaults.

http://www.oracle.com/technetwork/java/javase/tech/vmoptions-jsp-140102.html

It lists -XX:MaxPermSize as a default of 64M with the following exceptions: [5.0 and newer: 64 bit VMs are scaled 30% larger; 1.4 amd64: 96m; 1.3.1 -client: 32m.]. If I connect to a Java process on my Linux system with a 64-bit JVM, I see a max of roughly 64M + 30% (i.e. about 83M).

Dan

> As to setting Xms and Xmx to the same, I will do that. A job hung earlier and I wonder if memory was to blame although there is nothing in the system or server logs to say so.
RE: Tomcat memory allocation
> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Subject: RE: Tomcat memory allocation

> But if I change the settings in catalina.bat to:

Don't make changes to catalina.bat; create a setenv.bat to hold all your local settings.

> set CATALINA_OPTS=%CATALINA_OPTS% -Xms128m -Xmx768m -XX:MaxPermSize=128m
> In Tomcat Manager I see:

Use a real JVM analysis tool (e.g., JConsole, VisualVM), not the manager webapp.

> Free memory: 97.90 MB Total memory: 122.68 MB Max memory: 227.56 MB
> Shouldn't total or max memory have a higher reading?

No, since the heap size is sliding around between Xms and Xmx. You might want to take a look at the papers here:

http://www.oracle.com/technetwork/java/javase/tech/index-jsp-140228.html

Especially interesting are the ergonomics and tuning ones.

- Chuck
RE: Tomcat memory allocation
Sorry to belabour this but if I create a setenv.bat file with settings:

set CATALINA_OPTS=%CATALINA_OPTS% -Xms128m -Xmx768m -XX:MaxPermSize=128m

where should the file go and does it need to be called from anywhere?
RE: Tomcat memory allocation
> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Subject: RE: Tomcat memory allocation

> Sorry to belabour this but if I create a setenv.bat file with settings:
> set CATALINA_OPTS=%CATALINA_OPTS% -Xms128m -Xmx768m -XX:MaxPermSize=128m
> where should the file go and does it need to be called from anywhere?

Put it in Tomcat's bin directory. The startup scripts look for it and call it if found.

- Chuck
RE: Tomcat memory allocation
I should add that Tomcat is running as a Windows service, it isn't started manually.
RE: Tomcat memory allocation
> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Subject: RE: Tomcat memory allocation

> I should add that Tomcat is running as a Windows service, it isn't started manually.

In that case, nothing that we've been discussing about JAVA_OPTS, CATALINA_OPTS, startup.bat, catalina.bat, and setenv.bat is relevant. All JVM config settings need to be done with the tomcat?w.exe program.

- Chuck
Re: Tomcat memory allocation
Martin O'Shea wrote:
> I should add that Tomcat is running as a Windows service, it isn't started manually.

Then the .bat files are not used. Call up the tomcat?w.exe program, and edit the settings in the Java tab.
Re: Tomcat memory allocation
On 12/9/2011 10:49 AM, Caldarale, Charles R wrote:
>> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
>> Subject: RE: Tomcat memory allocation
>
>> I should add that Tomcat is running as a Windows service, it isn't started manually.
>
> In that case, nothing that we've been discussing about JAVA_OPTS, CATALINA_OPTS, startup.bat, catalina.bat, and setenv.bat is relevant. All JVM config settings need to be done with the tomcat?w.exe program.

Or directly in the registry (tomcat?w just changes those entries).
RE: Tomcat memory allocation
This gets weirder. I believe I should be looking in the Windows Registry under:

HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2,0

But I have no such settings. I simply have:

(Default)
InstallPath
Version

But I have:

JvmMS (set to 128)
jvmMX (set to 256)

Under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\Tomcat 6\Parameters\Java

If I want to increase Xmx memory, is jvmMX the one to edit? Or both to set them to the same value.
RE: Tomcat memory allocation
> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Subject: RE: Tomcat memory allocation

> I believe I should be looking in the Windows Registry

DO NOT edit the Windows registry - you will break something. Use the tomcat?w.exe utility; that's what it's for.

- Chuck
Re: Tomcat memory allocation
David kerber wrote:
> On 12/9/2011 10:49 AM, Caldarale, Charles R wrote:
>>> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
>>> Subject: RE: Tomcat memory allocation
>>
>>> I should add that Tomcat is running as a Windows service, it isn't started manually.
>>
>> In that case, nothing that we've been discussing about JAVA_OPTS, CATALINA_OPTS, startup.bat, catalina.bat, and setenv.bat is relevant. All JVM config settings need to be done with the tomcat?w.exe program.
>
> Or directly in the registry (tomcat?w just changes those entries).

I wouldn't do that. According to Microsoft, editing the Registry directly can cause your teeth to turn green and rot, your hair to fall off your head and grow on your back, and can cause the java heap to boil over and stain your keyboard.
Re: upgrading from 6.0.20 to 6.0.35
On Thu, Dec 8, 2011 at 11:13 PM, Pid * p...@pidster.com wrote:
> Yes, but we still usually recommend starting afresh each time. It should be relatively simple, just make a backup copy of each file you edit, first.

Somewhat OT, but I would like to recommend git (http://git-scm.com/) as the *perfect* way to manage configurations. It's an unobtrusive, simple way to track your changes without the clutter of extraneous backup files. And you can easily keep remote repository copies as well.

FWIW,
-- Hassan Schroeder hassan.schroe...@gmail.com http://about.me/hassanschroeder twitter: @hassan
Re: Multiple Tomcats on the Machine
- Original Message -
> From: Pid p...@pidster.com
> To: Tomcat Users List users@tomcat.apache.org
> Sent: Friday, December 9, 2011 6:58 AM
> Subject: Re: Multiple Tomcats on the Machine
>
> On 09/12/2011 11:54, Alexander Diedler wrote:
>> Hello
>> We have three instances of Tomcat on a Windows Server and want to access on every instance several applications through the Manager app. In every /Catalina/[hostname]/manager.xml is
>> <Context docBase="${catalina.home}/webapps/manager" privileged="true" antiResourceLocking="false" antiJARLocking="false"> </Context>
>> Could it be a problem, that the catalina.home only can point to one location and this could occur some errors?
>
> When any application is shared by multiple running Tomcats, you could run into errors, yes. I wouldn't like to guess what they'd be - but the manager app is fairly simple so you might get away with it.
>
>> What is the best practices?
>
> Don't share the application! Disk space is cheap, the application is small. Just make a copy and put it in the ${catalina.base}/webapps (or wherever the appBase is).

+1

> p
>> Alex

Alex,

It sounds like you're running multiple virtual hosts from one Tomcat instance. At least that's the clue I get from the following line:

> In every /Catalina/[hostname]/manager.xml is

I'm guessing you meant %CATALINA_HOME%\conf\Catalina\[hostname]\manager.xml ?

There's an article on the Tomcat Wiki that describes a setup with virtual hosts. One of the issues it covers is the manager application. The article:

http://wiki.apache.org/tomcat/TomcatDevelopmentVirtualHosts

It's a bit dated, but I think still accurate. The key is to create a manager application for each virtual host. This means you'll copy the manager application over to each virtual host's appBase, and the manager.xml context file is then just a copy of what is currently shipped with Tomcat.

As Pid has said, disk space is cheap, so creating completely separate virtual hosts is the cleanest way to accomplish this. I've set up systems like this for production, and it seems to work quite well.

. . . . just my two cents

/mde/
Tomcat 6.0 configuration with Adobe LiveCycle DS ES 3.0 Server
Hi, I want to Configure my Web Server(Tomcat 6.0) so that it can communicate with Adobe LiveCycle DS ES 3.0 Server. I want to know how I can configure my WebServer Tomcat 6.0. for this. Your early response will be appreciated. Thanking You, Anshul Asthana
Re: Tomcat 7 Valve not logging correct response size
On 12/5/2011 9:29 AM, Konstantin Kolinko wrote:
> 2011/12/5 Antonios Kogias co...@hua.gr:
>> Good morning,
>>
>> I'm using Tomcat 7.0.16 and a Valve in the server.xml file that uses the %B option to log the Bytes sent, excluding HTTP headers (http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html).
>>
>> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="%H %p %m %D %s %B %a %t &quot;%r&quot;" resolveHosts="false"/>
>>
>> This works correctly for small response size (up to 30-40 kB), but for bigger sizes it doesn't; it only writes zero as response size in the web access log (I have tested that with 100 kB and 1000 kB static files).
>>
>> Any idea why is that happening and what can be done to overcome?
>>
>> Antonios
>>
>> PS. OS is MS Windows XP 32bit SP3
>
> 1. What happens with 7.0.23?
>
> 2. Are you sure that the file was delivered to the client? Was the time taken to process the request greater than zero? Was the response 200 OK, or 304 Not modified? In the latter case the file is not sent, because the client already has a copy of it.
>
> 3. What connectors are you using and what are their settings?
>
> Best regards,
> Konstantin Kolinko

*1. What happens with 7.0.23?*

I tried 7.0.23 with the same results. Files of 1k, 10k, 25k get logged correctly, but files greater than that (50k, 75k, 100k, 1000k) are logged as size zero(0).

*2. Are you sure that the file was delivered to the client? Was the time taken to process the request greater than zero? Was the response 200 OK, or 304 Not modified? In the latter case the file is not sent, because the client already has a copy of it.*

The files were all correctly delivered to the client. The time taken to process the request (option %D) is greater than zero most of the time, with occasional zeroes. All responses are 200 OK.

*3. What connectors are you using and what are their settings?*

In the experiment I'm running, I'm using the following simple Connector (server.xml):

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" maxThreads="1" acceptCount="1" maxConnections="1" maxKeepAliveRequests="1" />

There are four different settings for the experiments:

maxThreads="1" acceptCount="1", maxConnections="2"
maxThreads="1" acceptCount="100", maxConnections="101"
maxThreads="100" acceptCount="1", maxConnections="101"
maxThreads="100" acceptCount="100", maxConnections="200"

However, the same behavior as described in (1) above consistently appears in any setting.
Tomcat Silently Dies and then Won't Restart -- Error 1067
Tomcat 6 on our Windows 2003 R2 x64 server runs fine for a day or two, then silently dies without leaving any messages in the log files. Then when we try to restart it, we get a Windows error 1067 and the service will not start. We have to reboot the whole server and then tomcat will work fine again for a couple of days. Has anyone else seen a problem like this?

-- Eric Robinson
Re: Tomcat Silently Dies and then Won't Restart -- Error 1067
On Fri, Dec 9, 2011 at 21:33, Robinson, Eric eric.robin...@psmnv.com wrote:
> Tomcat 6 on our Windows 2003 R2 x64 server runs fine for a day or two, then silently dies without leaving any messages in the log files. Then when we try to restart it, we get a Windows error 1067 and the service will not start. We have to reboot the whole server and then tomcat will work fine again for a couple of days. Has anyone else seen a problem like this?

It looks like a native error, ie a JVM error. Can you locate some hs_err_ files in your Tomcat installation?

-- Francis Galiegue, ONE2TEAM, Systems engineer
RE: Tomcat 7 Valve not logging correct response size
> From: Antonios Kogias [mailto:co...@hua.gr]
> Subject: Re: Tomcat 7 Valve not logging correct response size

> Files of 1k, 10k, 25k get logged correctly, but files greater than that (50k, 75k, 100k, 1000k) are logged as size zero(0).

Are you getting chunked output, by any chance?

- Chuck
Tomcat xerces conflicts and Endorsed,Standards Override Mechanism
Hello Tomcat Users,

I am having a problem with xerces and other jars in the JDK or Tomcat conflicting with jars in my app. I am getting the following exception when instantiating Smooks, a csv library that uses xerces, in a web app running in Tomcat:

java.lang.IncompatibleClassChangeError: Class org.jaxen.JaxenHandler does not implement the requested interface org.jaxen.saxpath.XPathHandler

I found something in the Tomcat docs and at Oracle about Endorsed Standards Override Mechanism.

http://tomcat.apache.org/tomcat-6.0-doc/class-loader-howto.html

So I followed the directions and placed the jaxen-1.1.1.jar in the Tomcat endorsed directory. I ran the app again and got a different exception:

org.apache.xerces.impl.dv.DVFactoryException: DTD factory class org.apache.xerces.impl.dv.dtd.DTDDVFactoryImpl does not extend from DTDDVFactory.

I then placed xercesImpl-2.6.2.jar in the Tomcat endorsed directory. I ran the app again and got a different exception:

java.lang.NoSuchMethodError: org.apache.xerces.impl.xs.XMLSchemaLoader.loadGrammar([Lorg/apache/xerces/xni/parser/XMLInputSource;)V

This makes me think I am on the right track and the exceptions I am getting seem to point to the wrong classes being loaded. My question is, is there a set of XML related jars that I should take out of my app and place in this endorsed directory or is there a different way of fixing this problem?

Thanks,

Warren Bell
Re: Tomcat 7 Valve not logging correct response size
2011/12/9 Antonios Kogias co...@hua.gr:
> *3. What connectors are you using and what are their settings?*
>
> In the experiment I'm running, I'm using the following simple Connector (server.xml):
>
> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" maxThreads="1" acceptCount="1" maxConnections="1" maxKeepAliveRequests="1" />

Good. (Though you are not saying what exactly connector you are using, because the value of protocol="HTTP/1.1" autoselects between two connector implementations.)

I was able to reproduce your issue, see
https://issues.apache.org/bugzilla/show_bug.cgi?id=52316

Best regards,
Konstantin Kolinko
Re: Tomcat 6.0 configuration with Adobe LiveCycle DS ES 3.0 Server
On 09/12/2011 18:52, Anshul Asthana wrote:
> Hi,
>
> I want to Configure my Web Server (Tomcat 6.0) so that it can communicate with Adobe LiveCycle DS ES 3.0 Server. I want to know how I can configure my WebServer Tomcat 6.0. for this.
>
> Your early response will be appreciated.

Sorry I couldn't respond sooner. Could you please read the following document:

j.mp/smrtqu

Let us know once you've done so we can begin the next step in the process.

p
Re: Tomcat memory allocation
On 09/12/2011 16:37, André Warnier wrote:
> David kerber wrote:
>> On 12/9/2011 10:49 AM, Caldarale, Charles R wrote:
>>> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
>>> Subject: RE: Tomcat memory allocation
>>>
>>>> I should add that Tomcat is running as a Windows service, it isn't started manually.
>>>
>>> In that case, nothing that we've been discussing about JAVA_OPTS, CATALINA_OPTS, startup.bat, catalina.bat, and setenv.bat is relevant. All JVM config settings need to be done with the tomcat?w.exe program.
>>
>> Or directly in the registry (tomcat?w just changes those entries).
>
> I wouldn't do that. According to Microsoft, editing the Registry directly can cause your teeth to turn green and rot, your hair to fall off your head and grow on your back, and can cause the java heap to boil over and stain your keyboard.

This man tried editing the registry BY HAND:

http://www.youtube.com/watch?v=wvsboPUjrGc

p
Re: Tomcat 6.0 configuration with Adobe LiveCycle DS ES 3.0 Server
Where can I find j.mp/smrtqu?

Regards,
Anshul

From: Pid p...@pidster.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Saturday, 10 December 2011 4:36 AM
Subject: Re: Tomcat 6.0 configuration with Adobe LiveCycle DS ES 3.0 Server

On 09/12/2011 18:52, Anshul Asthana wrote:
> Hi,
>
> I want to Configure my Web Server (Tomcat 6.0) so that it can communicate with Adobe LiveCycle DS ES 3.0 Server. I want to know how I can configure my WebServer Tomcat 6.0. for this.
>
> Your early response will be appreciated.

Sorry I couldn't respond sooner. Could you please read the following document:

j.mp/smrtqu

Let us know once you've done so we can begin the next step in the process.

p
Re: Custom realm.authenticate() that would work with any realm - possible?
André Warnier a...@ice-sa.com wrote:
> Hi Jim.
>
> As I recall, your original issue was that there is no OAM plugin for Tomcat, and therefore, you are doing the OAM authentication within the front-end Apache, and then passing the user-id to Tomcat. And then, you find yourself in Tomcat with a user-id, but without any roles corresponding to this user-id. And in order to get such roles, you are now facing a rather complex programming issue at the Tomcat level.
>
> I wrote this before, but let me repeat it: are you not doing a lot of work unnecessarily there, and should you not look at this another way?
>
> As far as I understand these Tomcat-level matters, a role in Tomcat is used to control access to resources. And you seem to use Tomcat's declarative type of access-control, which means that you allow access or not to a given webapp, in function of whether the user-id (which is passed to Tomcat by the front-end) has or not a particular role.
>
> And, in the OAM system globally, the fact that a user has or not access to a particular resource, is already managed at the OAM level; but to which OAM level, unfortunately right now, you do not have access from Tomcat.
>
> But in this case, all your accesses to Tomcat webapps *always* happen through the front-end, because it is this front-end which obtains the user-id (from OAM) and later passes it to Tomcat. And this front-end thus *has* access to the OAM data.
>
> So what is stopping you from:
> - not using any authentication/access-control at the Tomcat level
> - but checking all this at the Apache httpd front-end level?
>
> Example: suppose you have 3 webapps app1, app2, app3. You could have at the front-end level these sections:
>
> <Location /app1>
>   SetHandler jakarta-servlet   (same as JkMount /app1)
>   AuthType Oblix
>   require valid-user
>   require .. (whatever)
> </Location>
>
> <Location /app2>
>   SetHandler jakarta-servlet   (same as JkMount /app2)
>   AuthType Oblix
>   require valid-user
>   require .. (whatever)
> </Location>
>
> <Location /app3>
>   SetHandler jakarta-servlet   (same as JkMount /app3)
>   AuthType Oblix
>   require valid-user
>   require .. (whatever)
> </Location>
>
> If the user does not pass muster for /app1 according to OAM, then the call will never even make it to Tomcat. If the user passes muster, then you can let them access Tomcat's /app1 application, as they have been checked for it.
>
> Or am I missing something?

Hi,

Yes, you are missing something, something akin to the last mile.

Following your example, of /app1, suppose that that is a webapp that requires a known user (principal). The security JSP example in Tomcat is an example of this.

You can use something like OAM to protect (permit or deny) access, but once you get to the /app1, you wouldn't be logged into the app itself, not only for declarative type constraints, but also, for example, if the app does things like give you access to only specified resources (e.g., database tables, etc.) based on who you are.

So, for example with the security example, with just OAM, and without anything else, you end up on the form login page, instead of it saying Hi, x.

Just some examples there...

Jim
RE: Tomcat Silently Dies and then Won't Restart -- Error 1067
>> Tomcat 6 on our Windows 2003 R2 x64 server runs fine for a day or two, then silently dies without leaving any messages in the log files. Then when we try to restart it, we get a Windows error 1067 and the service will not start. We have to reboot the whole server and then tomcat will work fine again for a couple of days. Has anyone else seen a problem like this?
>
> It looks like a native error, i.e. a JVM error. Can you locate some hs_err_ files in your Tomcat installation?

Thanks for the suggestion. I searched the whole system and did not find any such files.

--Eric
RE: Tomcat Silently Dies and then Won't Restart -- Error 1067
From: Robinson, Eric [mailto:eric.robin...@psmnv.com]
Subject: RE: Tomcat Silently Dies and then Won't Restart -- Error 1067

> Tomcat 6 on our Windows 2003 R2 x64 server runs fine for a day or two, then silently dies without leaving any messages in the log files.

Buried somewhere in the Windows (not Tomcat) logs should be more information about the 1067. Unfortunately, I don't have a W2K3 box around to figure out how to find them. Should be accessible through Admin Tools.

I'm wondering if something running on the box has exhausted RAM plus swap space, making it impossible for Tomcat to continue or restart.

 - Chuck
Re: Custom realm.authenticate() that would work with any realm - possible?
oh...@cox.net wrote:
> André Warnier a...@ice-sa.com wrote:
>> Hi Jim.
>>
>> As I recall, your original issue was that there is no OAM plugin for Tomcat, and therefore, you are doing the OAM authentication within the front-end Apache, and then passing the user-id to Tomcat. And then, you find yourself in Tomcat with a user-id, but without any roles corresponding to this user-id. And in order to get such roles, you are now facing a rather complex programming issue at the Tomcat level.
>>
>> I wrote this before, but let me repeat it: are you not doing a lot of work unnecessarily there, and should you not look at this another way?
>>
>> As far as I understand these Tomcat-level matters, a role in Tomcat is used to control access to resources. And you seem to use Tomcat's declarative type of access-control, which means that you allow access or not to a given webapp, in function of whether the user-id (which is passed to Tomcat by the front-end) has or not a particular role.
>>
>> And, in the OAM system globally, the fact that a user has or not access to a particular resource, is already managed at the OAM level; but to which OAM level, unfortunately right now, you do not have access from Tomcat.
>>
>> But in this case, all your accesses to Tomcat webapps *always* happen through the front-end, because it is this front-end which obtains the user-id (from OAM) and later passes it to Tomcat. And this front-end thus *has* access to the OAM data.
>>
>> So what is stopping you from:
>> - not using any authentication/access-control at the Tomcat level
>> - but checking all this at the Apache httpd front-end level?
>>
>> Example: suppose you have 3 webapps app1, app2, app3. You could have at the front-end level these sections:
>>
>> <Location /app1>
>>   SetHandler jakarta-servlet   (same as JkMount /app1)
>>   AuthType Oblix
>>   require valid-user
>>   require .. (whatever)
>> </Location>
>>
>> <Location /app2>
>>   SetHandler jakarta-servlet   (same as JkMount /app2)
>>   AuthType Oblix
>>   require valid-user
>>   require .. (whatever)
>> </Location>
>>
>> <Location /app3>
>>   SetHandler jakarta-servlet   (same as JkMount /app3)
>>   AuthType Oblix
>>   require valid-user
>>   require .. (whatever)
>> </Location>
>>
>> If the user does not pass muster for /app1 according to OAM, then the call will never even make it to Tomcat. If the user passes muster, then you can let them access Tomcat's /app1 application, as they have been checked for it.
>>
>> Or am I missing something?
>
> Hi,
>
> Yes, you are missing something, something akin to the last mile.
>
> Following your example, of /app1, suppose that that is a webapp that requires a known user (principal). The security JSP example in Tomcat is an example of this.
>
> You can use something like OAM to protect (permit or deny) access, but once you get to the /app1, you wouldn't be logged into the app itself, not only for declarative type constraints, but also, for example, if the app does things like give you access to only specified resources (e.g., database tables, etc.) based on who you are.
>
> So, for example with the security example, with just OAM, and without anything else, you end up on the form login page, instead of it saying Hi, x.
>
> Just some examples there...

Ok, I may be misunderstanding the scope of OAM within your organisation, maybe because I am going by the OAM documentation as I was browsing it on the web. If you are using it only as an SSO system and only to get a user-id, then your example is correct. From the documentation, it just sounded like it is much more than that.

What I was trying to say is more or less this: if all accesses to your Tomcat applications necessarily go through the front-end, then for all intents and purposes the front-end and Tomcat are functionally one and the same system. Or, to put it another way, you could consider the front-end as just a part of Tomcat; or again to put it yet another way, your front-end /is/ your Tomcat authentication realm.

And whatever information you can obtain at the front-end level, you can pass to Tomcat as request attributes, which attributes you can retrieve in Tomcat and pass to your applications, for them to use to make any access decision they want.
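
An added example (not code from this thread or from Tomcat) of the approach described in the message above: a servlet filter that takes the user authenticated by the front-end plus a role list forwarded as a request attribute, and exposes both to the webapp's programmatic checks. It assumes an AJP connector configured with tomcatAuthentication="false" and a hypothetical attribute named FRONTEND_ROLES forwarded with mod_jk's JkEnvVar; the class name is hypothetical too.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not code from the thread. Makes the identity established by the
 * front-end visible to programmatic checks (getRemoteUser, isUserInRole) in a webapp.
 * It does not satisfy declarative security-constraints in web.xml: the container
 * enforces those before any filter runs.
 */
public class FrontEndIdentityFilter implements Filter {
    // Hypothetical attribute name; the front-end must be configured to forward it
    // (mod_jk forwards environment variables as request attributes via JkEnvVar).
    static final String ROLES_ATTRIBUTE = "FRONTEND_ROLES";

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Assumption: populated from the front-end's authenticated user because the
        // AJP connector is configured with tomcatAuthentication="false".
        final String user = http.getRemoteUser();
        if (user == null || user.trim().isEmpty()) {
            // Fail closed: no front-end identity means the request skipped the login.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        final Set<String> roles = parseRoles(http.getAttribute(ROLES_ATTRIBUTE));
        final Principal principal = new Principal() {
            public String getName() { return user; }
        };
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getRemoteUser() { return user; }
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        }, res);
    }

    /** Parses a comma-separated role list; a missing attribute means no roles at all. */
    static Set<String> parseRoles(Object raw) {
        Set<String> roles = new HashSet<String>();
        if (raw instanceof String) {
            for (String role : ((String) raw).split(",")) {
                if (!role.trim().isEmpty()) {
                    roles.add(role.trim());
                }
            }
        }
        return Collections.unmodifiableSet(roles);
    }
}
```

The forwarded user and roles are only as trustworthy as the path they arrive on, so the AJP port has to be reachable by the front-end alone and no HTTP connector should offer a way around it.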
Re: Custom realm.authenticate() that would work with any realm - possible?
André Warnier a...@ice-sa.com wrote:
> oh...@cox.net wrote:
>> André Warnier a...@ice-sa.com wrote:
>>> Hi Jim.
>>>
>>> As I recall, your original issue was that there is no OAM plugin for Tomcat, and therefore, you are doing the OAM authentication within the front-end Apache, and then passing the user-id to Tomcat. And then, you find yourself in Tomcat with a user-id, but without any roles corresponding to this user-id. And in order to get such roles, you are now facing a rather complex programming issue at the Tomcat level.
>>>
>>> I wrote this before, but let me repeat it: are you not doing a lot of work unnecessarily there, and should you not look at this another way?
>>>
>>> As far as I understand these Tomcat-level matters, a role in Tomcat is used to control access to resources. And you seem to use Tomcat's declarative type of access-control, which means that you allow access or not to a given webapp, in function of whether the user-id (which is passed to Tomcat by the front-end) has or not a particular role.
>>>
>>> And, in the OAM system globally, the fact that a user has or not access to a particular resource, is already managed at the OAM level; but to which OAM level, unfortunately right now, you do not have access from Tomcat.
>>>
>>> But in this case, all your accesses to Tomcat webapps *always* happen through the front-end, because it is this front-end which obtains the user-id (from OAM) and later passes it to Tomcat. And this front-end thus *has* access to the OAM data.
>>>
>>> So what is stopping you from:
>>> - not using any authentication/access-control at the Tomcat level
>>> - but checking all this at the Apache httpd front-end level?
>>>
>>> Example: suppose you have 3 webapps app1, app2, app3. You could have at the front-end level these sections:
>>>
>>> <Location /app1>
>>>   SetHandler jakarta-servlet   (same as JkMount /app1)
>>>   AuthType Oblix
>>>   require valid-user
>>>   require .. (whatever)
>>> </Location>
>>>
>>> <Location /app2>
>>>   SetHandler jakarta-servlet   (same as JkMount /app2)
>>>   AuthType Oblix
>>>   require valid-user
>>>   require .. (whatever)
>>> </Location>
>>>
>>> <Location /app3>
>>>   SetHandler jakarta-servlet   (same as JkMount /app3)
>>>   AuthType Oblix
>>>   require valid-user
>>>   require .. (whatever)
>>> </Location>
>>>
>>> If the user does not pass muster for /app1 according to OAM, then the call will never even make it to Tomcat. If the user passes muster, then you can let them access Tomcat's /app1 application, as they have been checked for it.
>>>
>>> Or am I missing something?
>>
>> Hi,
>>
>> Yes, you are missing something, something akin to the last mile.
>>
>> Following your example, of /app1, suppose that that is a webapp that requires a known user (principal). The security JSP example in Tomcat is an example of this.
>>
>> You can use something like OAM to protect (permit or deny) access, but once you get to the /app1, you wouldn't be logged into the app itself, not only for declarative type constraints, but also, for example, if the app does things like give you access to only specified resources (e.g., database tables, etc.) based on who you are.
>>
>> So, for example with the security example, with just OAM, and without anything else, you end up on the form login page, instead of it saying Hi, x.
>>
>> Just some examples there...
>
> Ok, I may be misunderstanding the scope of OAM within your organisation, maybe because I am going by the OAM documentation as I was browsing it on the web. If you are using it only as an SSO system and only to get a user-id, then your example is correct. From the documentation, it just sounded like it is much more than that.
>
> What I was trying to say is more or less this: if all accesses to your Tomcat applications necessarily go through the front-end, then for all intents and purposes the front-end and Tomcat are functionally one and the same system. Or, to put it another way, you could consider the front-end as just a part of Tomcat; or again to put it yet another way, your front-end /is/ your Tomcat authentication realm.
>
> And whatever information you can obtain at the front-end level, you can pass to Tomcat as request attributes, which attributes you can retrieve in Tomcat and pass to your applications, for them to use to make any access decision they want.

Hi Andre,

The thing is, as you yourself mentioned earlier, some (maybe a lot) of systems (apps), utilize declarative security constraints (e.g., in web.xml), in order to avoid having to put code in the app that does stuff like (this is just pseudo-code):

    if (user.isInRole("xyz")) {
        . .
    }

If the app/webapp utilizes declarative security (constraints, etc.), then just protecting the app's URIs at the Apache isn't sufficient.

I'm not wanting to get into a debate about the pros/cons of declarative vs. programmatic. The area that I'm in (my job) is
Re: add and modify globalnamingresources on the fly
I'm working with 7.0.23

----- Original Message -----
From: Pid p...@pidster.com
To: Tomcat Users List users@tomcat.apache.org
Cc:
Sent: Friday, December 9, 2011 11:36 AM
Subject: Re: add and modify globalnamingresources on the fly

On 09/12/2011 12:31, Marcelo Romulo Fernandes wrote:
> Hi people,
>
> Is it possible to change globalnamingresources at tomcat and reflect the changes to a running instance without restart? I want to add and change datasources global resources dynamically without restarting tomcat!

Which version of Tomcat?

I don't believe it is possible.

p

> Is it possible? I investigated probe (http://code.google.com/p/psi-probe/), but it only sees pool usage and executes queries.
>
> thanks in advance
> marcelo